CVE-2022-36604
Description
An access control issue in Canaan Avalon ASIC Miner 2020.3.30 and below allows unauthenticated attackers to arbitrarily change user passwords via a crafted POST request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated attacker can change any user's password on Canaan Avalon ASIC Miner firmware 2020.3.30 and below via a crafted POST request.
Vulnerability
Canaan Avalon ASIC Miner firmware versions 2020.3.30 and below (all releases up to and including 2020.3.30) contain an access control vulnerability that allows an unauthenticated attacker to arbitrarily change user passwords. The issue resides in the password reset functionality of the device's web interface, which neither requires an authenticated session nor verifies the account's current password before accepting a new one. The code path is reachable over the network via a crafted POST request [1].
Exploitation
An attacker does not need any authentication, user interaction, or special network position beyond network access to the miner's management interface. The exploit involves sending a specially crafted POST request to the password change endpoint, which directly alters the password for any account (including admin). No race window or additional privileges are required [1].
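The pattern the advisory describes (a password-change handler that trusts the POST body alone) next to a hardened form of the same handler, as an added illustration. This is example code written for this page, not the Avalon firmware; the user store, session table, form field names and handler names are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for the device's user database and
# web-session table. Names and layout are assumptions for this example.
USERS = {}     # username -> {"salt": bytes, "hash": bytes}
SESSIONS = {}  # session token -> username


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(user: dict, password: str) -> bool:
    # Constant-time comparison so the check does not leak timing information.
    return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))


def login(username: str, password: str):
    """Returns a session token on success, None otherwise."""
    user = USERS.get(username)
    if user is None or not verify_password(user, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def change_password_vulnerable(form: dict) -> dict:
    """The flawed pattern: no session is checked and the current password is
    never verified, so any network peer can reset any account, admin included."""
    username = form.get("user")
    if username not in USERS:
        return {"status": 404}
    USERS[username] = make_user(form.get("new_password", ""))
    return {"status": 200}


def change_password_fixed(form: dict, session_token) -> dict:
    """Hardened handler: requires a valid session, only lets the caller change
    its own account, re-verifies the current password, enforces a minimum
    length, and revokes the account's other sessions after the change."""
    caller = SESSIONS.get(session_token or "")
    if caller is None:
        return {"status": 401}
    if form.get("user") != caller:
        return {"status": 403}
    if not verify_password(USERS[caller], form.get("current_password", "")):
        return {"status": 403}
    new_pw = form.get("new_password", "")
    if len(new_pw) < 12:
        return {"status": 400}
    USERS[caller] = make_user(new_pw)
    stale = [t for t, u in SESSIONS.items() if u == caller and t != session_token]
    for tok in stale:
        del SESSIONS[tok]
    return {"status": 200}


# Seed one account so the handlers have something to act on (constructed data).
USERS["admin"] = make_user("initial-admin-pw")
```

The vulnerable handler returns 200 for a body such as `{"user": "admin", "new_password": "pwned"}` with no session at all; the fixed one returns 401 for the same body and 403 when the current password is wrong, which is the behaviour the advisory says the affected firmware lacks.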
Impact
Successful exploitation allows the attacker to change the password of any user, thereby gaining full administrative control over the device. This leads to complete compromise of confidentiality, integrity, and availability of the mining unit, including the ability to modify settings, extract cryptocurrency wallet information, and disrupt mining operations [1].
Mitigation
As of the publication date (2022-09-01), no official patch has been released by Canaan. The vendor was notified before publication [1]. Because the flaw bypasses the current-password check entirely, rotating credentials does not help; the only effective mitigation is to make the management interface unreachable from untrusted networks. Users should place miners on isolated VLANs with strict firewall rules that allow access to the web interface only from a management subnet, and apply the vendor firmware update if a fix becomes available. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
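A small check that a practitioner can run over the miner's web-server access log to verify that the isolation above is actually holding: any request from outside the management subnet is a finding, and a POST from outside it is the exact traffic this vulnerability needs. This is added example code, not part of the page's sources; the log lines are constructed in Common Log Format, and the path `/admin/password`, the allowed subnet and the function names are assumptions.

```python
import ipaddress
import re

# Management subnet the miners should only be reachable from (assumption).
ALLOWED_SOURCES = [ipaddress.ip_network("10.50.0.0/24")]

# Constructed sample access-log lines; not real Avalon logs.
SAMPLE_LOG = """\
10.50.0.7 - - [01/Sep/2022:10:00:01 +0000] "GET /admin HTTP/1.1" 200 5120
203.0.113.9 - - [01/Sep/2022:10:00:05 +0000] "POST /admin/password HTTP/1.1" 200 310
10.50.0.7 - - [01/Sep/2022:10:01:12 +0000] "POST /admin/password HTTP/1.1" 200 310
198.51.100.23 - - [01/Sep/2022:10:02:40 +0000] "GET /admin HTTP/1.1" 200 5120
garbage line that should be skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line: str):
    """Parse one Common Log Format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["ip"] = ipaddress.ip_address(rec["ip"])
    except ValueError:
        return None
    rec["status"] = int(rec["status"])
    return rec


def is_allowed_source(ip, allowed=ALLOWED_SOURCES) -> bool:
    return any(ip in net for net in allowed)


def find_external_requests(log_text: str, allowed=ALLOWED_SOURCES):
    """Every request whose source is outside the allowed management subnet(s)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_allowed_source(rec["ip"], allowed):
            continue
        findings.append((str(rec["ip"]), rec["method"], rec["path"], rec["status"]))
    return findings


def find_external_writes(log_text: str, allowed=ALLOWED_SOURCES):
    """The high-severity subset: state-changing requests from outside the subnet.
    A successful POST here is the traffic shape this advisory describes."""
    return [f for f in find_external_requests(log_text, allowed) if f[1] == "POST"]


if __name__ == "__main__":
    for ip, method, path, status in find_external_writes(SAMPLE_LOG):
        print(f"ALERT external write: {ip} {method} {path} -> {status}")
```

Run against a real log export, the only line of interest is the external POST that returned 200; the external GET is still worth a look because it means the firewall rule is not doing its job.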
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Canaan / Avalon ASIC Miner
  - Range: <= 2020.3.30
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] jamesachambers.com/cryptocurrency-asic-miners-security-and-hacking-audit/ (MITRE reference, x_refsource_MISC)
News mentions
No linked articles in our index yet.